Cisco has released software fixes to address a maximum-severity security flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system.
The vulnerability, tracked as CVE-2025-20188, has been rated 10.0 on the CVSS scoring system.
"This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system," the company said in a Wednesday advisory.
"An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges."
That said, in order for the exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It's disabled by default.
The following products are affected, if they have a vulnerable release running and have the Out-of-Band AP Image Download feature turned on -
- Catalyst 9800-CL Wireless Controllers for Cloud
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controller on Catalyst APs
While updating to the latest version is the best course of action, as temporary mitigations, users can disable the feature until an upgrade can be performed.
"With this feature disabled, AP image download will use the CAPWAP method for the AP image update feature, and this does not impact the AP client state," Cisco added.
The networking equipment major credited X.B. of the Cisco Advanced Security Initiatives Group (ASIG) for discovering the reporting the bug during internal security testing. There is no evidence that the vulnerability has been maliciously exploited in the wild.
Additional Technical Details Emerge
Horizon3.ai has published an analysis of CVE-2025-20188, stating that the flaw stems from a "combination of hard-coded secrets, insufficient input validation, and exposed endpoints" that allows an unauthenticated, remote attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
Specifically, it exists due to the JWT fallback secret ("notfound") used by backend Lua scripts for upload-related endpoints ("/aparchive/upload" and "/ap_spec_rec/upload/") and that the fact that it allows an unauthenticated user to navigate outside the intended directory.
To escalate the path traversal to remote code execution, all an attacker has to do is to overwrite configuration files used by the service by uploading a malicious version, causing it to be reloaded and the injected commands to be executed.
(The story was updated after publication on June 3, 2025, to include technical details of the flaw shared by Horizon3.ai on May 29.)
